Russia-linked cyberattacks on Ukraine: A timeline

Cyber incidents are playing a central role in the Russia-Ukraine conflict. Here's how events are unfolding along with unanswered questions.


Russia’s National Computer Incident Response & Coordination Center published a list of more than 17,500 IP addresses and 174 internet domains it says are involved in ongoing distributed denial-of-service attacks on Russian domestic targets. The Center also issued recommendations on how to ward off DDoS attacks.

March 3: Ukraine accuses hackers of spreading false information

Ukraine's State Service of Special Communication and Information Protection said that an undisclosed number of official websites of "regional authorities and local governments" had been hijacked and used to spread "lies" about a deal to end the fighting prompted by Russia's invasion. Ukraine says the “enemy” was responsible for the information. Russia denied using hackers to go after its foes.

March 3: Hackers compromised Russian space institute

Hackers compromised a website connected to Russia’s Space Research Institute (IKI), which designs and builds scientific instruments for space experiments. The hackers, purportedly part of a wave of vigilante hackers that took up digital arms following Russia’s invasion of Ukraine, defaced a section of IKI’s website to post vulgar, anti-Russian messages.

March 5: Ukraine says Russian cyberattacks are non-stop

Ukraine's State Service of Special Communications and Information Protection said that "Russian hackers keep on attacking Ukrainian information resources nonstop." The agency said that sites belonging to the presidency, parliament, the cabinet, the ministry of defense and the ministry of internal affairs were among those hit by distributed denial-of-service (DDoS) attacks.

March 5: Anonymous claims FSB website take-down

The hacktivist collective Anonymous claims it took down the website of the Federal Security Service (FSB) of Russia. The group further claimed it took down 2,500 websites in Russia and Belarus in support of Ukraine.

March 6: Cybercom’s secret “cybermissions” revealed

Sources say that secret forces from the United States Cyber Command known as “cybermission teams” are in place across Eastern Europe to interfere with Russia’s digital attacks and communications. Although most elements of these teams are classified, it is clear that the cybermissions have tracked some familiar targets, including the activities of the G.R.U., Russia’s military intelligence operations, to try to neutralize their activity. Microsoft has helped in some of these activities.

March 7: Anonymous claims hack into Russian TV

The Anonymous group took responsibility for the hack into the Russian streaming services of state television channels, which are used by the Russian authorities for propaganda and fake news. The group claimed it hacked into the Russian streaming services Wink and Ivi (like Netflix) and live TV channels Russia 24, Channel One, Moscow 24 to broadcast war footage from Ukraine.

March 7: Belarus conducts phishing attacks against Polish military, Ukrainian officials revealed

Google’s Threat Analysis Group said that Russia ally Belarus conducted widespread phishing attacks against members of the Polish military as well as Ukrainian officials. Google also warned hundreds of Ukrainian residents about government-backed hacking attempts in the past year, most of them from Russia.

March 8: Hacktivist crew uses phone bombing software to plead with Russian citizens

The hacktivist crew known as The International Legion Information Technology Battalion 300 (ILIT300) claimed to have phone bombing software created by Ukrainian hacktivists to send out pleas to Russian citizens in the hopes that they will speak out against the conflict in Ukraine. The ILIT300 dubbed their operation #OpPhoneKiss. Nataliya Vasilyeva, a Telegraph Moscow correspondent, confirmed she received one of the phone calls.

March 8: Russian government websites compromised through stats widget

The press service of the Russian Ministry of Economic Development said some of Russia’s federal agencies' websites were compromised in a supply chain attack after unknown attackers hacked the stats widget used to track the number of visitors by multiple government agencies. The hackers were able to publish incorrect content on the pages of the websites.

March 9: Cybercriminals exploit Ukrainian sympathizers

Researchers at Cisco Talos say opportunistic cybercriminals are trying to exploit Ukrainian sympathizers by offering malware purporting to be offensive cyber tools to target Russian entities. Once downloaded, these files infect unwitting users rather than delivering the tools originally advertised. One threat actor offered a DDoS attack tool for use against Russians but instead delivered an information stealer that infected the unwitting victim with malware designed to dump credentials and cryptocurrency-related information.

March 11: Attacks on Russian sites escalated in March

Rostelecom-Solar, the cybersecurity arm of telecom company Rostelecom, the largest digital services provider in Russia, said efforts to disrupt the operations of company websites in Russia jumped in March, with the number of distributed denial-of-service (DDoS) attacks by mid-March already exceeding the total for the whole of February. Russian government entities and state-owned companies were targeted, with the websites of the Kremlin, flagship carrier Aeroflot and major lender Sberbank among those that experienced outages or temporary access issues.

March 15: Ukraine Secret Service detains “hacker” helping Russian troops route phone calls

The Security Service of Ukraine (SSU) said it detained a “hacker” who was providing technical assistance to Russian troops in Ukraine by routing phone calls on their behalf. The hacker also sent text messages to Ukrainian security forces suggesting they surrender.

March 15: Feds warn of Russian state actors exploiting MFA, PrintNightmare flaws

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint Cybersecurity Advisory (CSA) to warn organizations that Russian state-sponsored cyber actors have gained network access through exploitation of default multi-factor authentication (MFA) protocols and a critical Windows Print Spooler vulnerability called PrintNightmare to run arbitrary code with system privileges.

March 18: Developer sabotages own code to wipe computers in Russia, Belarus

RIAEvangelist, the maintainer of a popular piece of open source software called node-ipc, faced criticism for deliberately sabotaging their own code to wipe data on computers that used the program in Russia and Belarus. The altered versions of the software deleted all data and overwrote all files on developers' machines and created new text files with "peace" messages.

March 21: Feds reiterate warning of potential malicious Russian cyber activity

In a statement from the White House, President Biden reiterated that “Russia could conduct malicious cyber activity against the United States, including as a response to the unprecedented economic costs we’ve imposed on Russia alongside our allies and partners.” He also urged “private sector partners to harden your cyber defenses immediately by implementing the best practices we have developed together over the last year.” White House cyber advisor Anne Neuberger also appeared at a press briefing to urge “companies to take the steps within your control to act immediately to protect the services millions of Americans rely on and to use the resources the federal government makes available.”

March 21: Russia’s top bank warns of malware-laden protestware

Sberbank, Russia’s largest bank, warned its users to stop updating software due to the threat of “protestware,” open source projects whose authors altered their code in opposition to Moscow’s invasion of Ukraine. Although most of the protestware simply conveys antiwar messages, one project contained malicious code to wipe computers in Russia and Belarus.

March 24: U.S. intel analysts say Russia was behind Viasat cyberattack

U.S. intelligence analysts concluded that Russian military spy hackers were behind the cyberattack on Viasat’s satellite broadband service that disrupted Ukraine’s military communications at the start of the war last month. However, the U.S. government did not formally or publicly attribute that attack to Russia.

March 25: U.S., UK charge four Russian officials with critical infrastructure hacking

The U.S. Justice Department and British Foreign Office charged four Russian officials with the malicious hacking of critical infrastructure around the globe, including the U.S. energy and aviation sectors, between 2012 and 2018. One of the officials charged was an employee at a Russian military research institute accused of working with co-conspirators in 2017 to hack the systems of a foreign refinery and to install malicious software. The British Foreign Office suggested that the timing of the charges was directly related to Russian President Vladimir Putin’s “unprovoked and illegal war in Ukraine.”

March 27: Top Ukrainian broadband provider knocked out in cyberattack

Top terrestrial Ukrainian internet and telephone service provider Ukrtelecom was hit by a massive cyberattack that knocked out its services for hours. Russia denies any involvement in the attack.

March 29: Russia accuses U.S. of malicious attacks

In what some see as an omen that Russia plans to ramp up its malicious cyber activity, the Russian foreign ministry accused the United States of leading a massive campaign of "cyber aggression" behind hundreds of thousands of malicious attacks a day while Russia has troops in Ukraine. The foreign ministry said it believed Ukraine's government, which in February announced the formation of an "IT army," was involved and had launched an "offensive cyber force."

March 30: Viasat official says cyberattacks are still ongoing

Viasat said that the multifaceted cyberattack that struck its KA-SAT network resulted in a partial interruption of KA-SAT’s consumer-oriented satellite broadband service, crippling tens of thousands of modems. One Viasat official said that the attacks are ongoing with repeated attempts by the attacker to test the new defenses the company has raised.

March 30: Nation-state threat actors are exploiting Ukraine invasion in malicious campaigns

Google’s Threat Analysis Group said that, as part of its efforts to track malicious cyber activity related to Russia’s invasion of Ukraine, it has observed government-backed actors from China, Iran, North Korea and Russia, and various unattributed groups, using Ukraine war-related themes in an effort to get targets to open malicious emails or click malicious links. Financially motivated and criminal actors are also using current events as a means for targeting users.

Copyright © 2022 IDG Communications, Inc.
